Published: 06/05/2004, Volume 114, No. 5904 Page 28

Simon White cuts through the confusion that often surrounds data protection legislation

The Freedom of Information Act 2000 and the Data Protection Act 1998 are often mentioned in the same breath.

They both go to the heart of information governance and are currently being reviewed by every NHS organisation.

The Freedom of Information Act works on the basis that public interest is best served by the full disclosure of information. Since October 31 2003, every NHS body has been required to establish a publication scheme listing the classes of information which it holds and respond to direct requests from the public relating to disclosure of information within those classes.

Organisations will not have to supply certain information, including:

information intended for future publication;

personal data (as defined by the Data Protection Act);

information likely to prejudice the commercial interests of the NHS body;

information relating to security and other internal matters.

From January 2005 the public's rights under the Freedom of Information Act will be extended, enabling anyone to request copies of any information held by NHS bodies, not only information listed in the publication scheme.

While this 'right to know' is still subject to exemptions, each organisation will need to ensure that it understands exactly what information it holds, who is responsible for it, and where the most up-to-date version is stored.

The Soham murder trial and the facts surrounding Soham Community College's employment of Ian Huntley have put the Data Protection Act in the spotlight.

The case has led many organisations to question their compliance with the act, particularly when disclosing data to third parties such as the police, social services and other NHS bodies. So what can NHS bodies do to ensure compliance?

The act provides that a 'data controller' (eg an NHS organisation) may only 'process' the 'personal data' or 'sensitive personal data' of a 'data subject' (such as a patient or member of staff) where the act permits it. 'Processing' is defined widely and includes obtaining, recording, holding, disclosing and destroying data. 'Personal data' is anything that identifies a living individual, such as names and addresses, and includes statements of opinion about that individual; it covers paper records as well as electronically held data. 'Sensitive personal data' includes information about racial or ethnic origin, religious or other similar beliefs, physical or mental health, sexual life, and the commission or alleged commission of any offence.

Organisations are required to comply with the eight data protection principles when processing personal data. For example, all personal data held must be processed lawfully, be accurate and, where necessary, kept up to date and held for no longer than is necessary (patient records are subject to the retention periods set out in the NHS For the Record 1999 circular).

If an organisation can satisfy itself that it has the benefit of one of the 'conditions' in the Data Protection Act enabling it to process personal data, it should be able to show that it is processing that data lawfully.

Schedule 2 of the act sets out these conditions. Processing of personal data will be lawful only if your organisation is able to rely on at least one of them, including:

the 'data subject' has consented to the processing;

the processing is necessary for compliance with a legal obligation to which the organisation is subject;

the processing is necessary in order to protect the vital interests of the data subject;

the processing is necessary for the purposes of the legitimate interests pursued by the organisation or by the third party to whom the personal data may be disclosed, except where the processing is unwarranted in the particular case because of the prejudice it would cause to the rights, freedoms or legitimate interests of the data subject.

The Data Protection Act separates 'sensitive personal data' (such as details of a patient's medical conditions) from the less sensitive 'name and address' types of data.

So how do organisations store and, where necessary, disclose sensitive personal data lawfully?

NHS bodies must ensure that, with respect to sensitive personal data, as well as having the benefit of one of the schedule 2 conditions, they also have one of the schedule 3 'conditions'.

These include:

the organisation has the explicit consent of the data subject to hold or disclose sensitive personal data;

the processing is necessary for medical purposes; or

the holding or disclosing is necessary to protect the vital interests of the data subject or someone else, or for the exercise of any functions conferred by law.

NHS organisations are also subject to the principles set out in the Caldicott guidelines on patient-identifiable information.

These largely mirror the rules set out in the Data Protection Act, but provide useful guidelines for the protocols when 'sharing' information within and outside the NHS.

The failings of the police involved in vetting Ian Huntley's name have been widely publicised in the aftermath of the Soham case.

Humberside police deleted the records of the allegations against Huntley on the basis that the act requires personal data to be 'accurate', 'relevant', 'up to date' and 'kept for no longer than is necessary' for the purpose for which it is processed.

The details of Huntley's alleged offences fall within the definition of 'sensitive personal data' under the Data Protection Act. Humberside police required a schedule 2 condition and a schedule 3 condition to continue to hold and disclose Huntley's data.

The holding (and disclosure) of the allegations would clearly have been 'necessary for the purposes of legitimate interests pursued by the data controller [in this case, Humberside police] or by the third party [Soham Community College] to whom the data are disclosed'.

Further, the holding (and disclosure) of the allegations would also have the benefit of numerous schedule 3 conditions (not least that it was within the substantial public interest).

If an organisation is asked, or needs, to disclose personal data to third parties, these are the types of areas it will have to consider. It should also be noted that the Data Protection Act (section 29) exempts disclosures made for the prevention or detection of crime, or for the apprehension or prosecution of offenders, from the non-disclosure provisions where applying them would be likely to prejudice those purposes.

Simon White is a solicitor in Browne Jacobson's trade and innovation group and specialises in data protection law.
